Bring Your Own Apps – Manage Risk to Reap the Rewards

When we talk about consumerization trends these days we often concentrate on the device, the ‘D’ in BYOD. But enterprise employees have been using consumer-grade applications in the workplace for a lot longer – just think about the popular IM or email clients provided by Yahoo, Google and others for the past 5+ years. Thanks to the ubiquity of cloud computing and powerful smartphones and tablets this trend of Bring Your Own Apps (BYOA) is really gaining pace, and needs to be understood and managed better by IT.

Popular consumer-grade online apps now exist to serve a huge range of needs, including online storage and file sharing (e.g. Dropbox); blogging (WordPress, Blogger); telephony (Skype); social media and engagement (Twitter, Facebook, Hootsuite); and collaboration (Huddle, Yammer). The problem is that, just as with the BYOD trend, these unsanctioned tools have largely crept into the enterprise in an ad hoc, piecemeal manner. Yes, they’re great time-savers and allow users to work in the way they have become accustomed to at home, with intuitive, productivity-enhancing tools, but they also bring extra risk into the organization.

The risks mainly stem from the fact that the majority of these apps were not designed to be used in an enterprise environment, with all its associated security policies and controls. They were built primarily with consumers in mind, which can raise issues of data privacy if sensitive corporate information ends up on the servers of a third party company.

While many web firms have strict auditing and data center security controls of their own, the vetting of such providers is something IT managers ideally need to be involved in from the start. Similarly, there are risks around what happens if a cloud provider goes bust or is bought, or even if a member of staff leaves along with their private web account – what happens to the corporate data then?

IT also faces a potential security tsunami if users are allowed to download whatever applications they wish from online app stores. While the official iOS and Windows Phone channels offer certain protections, Android’s open ecosystem makes it easy for cyber criminals to upload malware-ridden apps masquerading as legitimate software. The volume of Android malware rose from around 30,000 in Q2 to a whopping 175,000 in September, according to the Q3 Threat Report from Trend Micro – proof that IT teams need to carefully manage the downloading of apps onto corporate or BYOD devices.

Some tips
IT teams have to realize that BYOA is happening because users find consumer tools much easier to use and more readily available than their enterprise equivalents. IT therefore needs to harness the obvious benefits of continued use of consumer-grade apps while putting in place the practices and policies to manage them securely.

The following steps should help start the process:
• Draw up clear policies on the use of consumer applications in the workplace and detail the process for reviewing new tools.
• Once agreed upon, communicate the policies to employees. Remind employees of these policies regularly, alongside other ongoing communications on IT policies.
• Audit existing tools in use in the organization, then decide which ones can be kept and managed securely.
• Establish a platform owner for each retained tool who is responsible for keeping the information security team updated on any changes.
• Suggest logical points of consolidation between teams – e.g. all social media teams on TweetDeck or Hootsuite, not both – or upgrade to an enterprise-grade equivalent.
• Consider client security and mobile device management for all BYOD and corporate devices to ensure only safe and pre-approved apps can be downloaded.

Have you run into BYOA in your organization? Which consumer apps turn up most frequently on your teams’ systems?

http://twitter.com/gizkur darcy wrench

One way to manage this is with a new technology that allows you to give access to only specific apps or sites, and then parse the data onto a corporate or personal bill – all on one device. So you can have one device with always-on availability to corporate security, asset tracking, email, and CRM that is billed to the corporate account, along with Facebook, Twitter, and personal email billed to their personal account. Here is a 4-part series that discusses the future of mobile data in a BYOx world.